Each of the NSLs that we are publishing initially included an indefinite nondisclosure requirement that prohibited us from sharing any information about the letter or publicly acknowledging that we received an NSL.

We recently requested that these nondisclosure requirements be lifted, under the “reciprocal notice” procedures of the USA FREEDOM Act. More detail on the procedures that we followed is below.

In response to our requests, the FBI lifted the gag orders with respect to all information in each of the NSLs we are making available today. Before publishing the letters publicly, however, we decided to redact the following information from each letter: (1) the site URL about which the government requested information, (2) names of Automattic personnel to whom the request was addressed, and (3) name and contact information for the FBI personnel involved in making the information request.

We made these limited redactions in order to protect privacy interests. The NSLs are otherwise what we received when they were served onto us.

The five NSLs are identical. (PDF links included at the bottom of the Automattic post.) Automattic responded to four of those, but had none of the information requested for the fifth. After the gag orders were lifted by the FBI, Automattic informed the targeted users.

The boilerplate NSLs ask for far more info than the FBI's own legal guidance suggests it should be able to request. A 2008 DOJ legal memo says NSLs should be constrained to "phone billing records." The FBI has apparently decided to interpret this as any and all electronic transactional records when it comes to internet service providers. Here's what's requested in the Automattic NSLs:

Subscriber name and related subscriber information

Account number(s)

Date the account opened or closed

Physical and or postal addresses associated with the account

Subscriber day/evening telephone numbers

Screen names or other on-line names associated with the account

All billing and method of payment related to the account including alternative billed numbers or calling cards

All e-mail addresses associated with the account to include any and all of the above information for any secondary or additional e-mail addresses and/or user names identified by you as belonging to the targeted account in this letter

The names of any and all upstream and providers facilitating this account's communications

This is where the FBI starts digging, apparently. By demanding all this info from a single service provider, the FBI can issue NSLs and subpoenas to a large number of additional third parties, even though the DOJ's legal guidance suggests the FBI's NSL requests should be far more constrained.

The recently-instituted challenge options are better than what was in place previously, but Automattic points out there's still plenty of room for improvement.

We also continue to believe that NSLs pose serious constitutional concerns, particularly because they indefinitely prevent companies like us from speaking about them, and informing our users or the public about the NSLs that we receive. The procedures used to lift nondisclosure requirements are flawed because they put the burden of seeking an end to secrecy almost entirely on the companies, like Automattic, who receive NSLs.

The FBI has almost zero legal obligation to perform proactive reviews of issued NSL gag orders. Recipients must spend their time and money challenging them. Fortunately, the challenge process now requires much less of these scarce resources. Automattic has its own boilerplate form for challenging boilerplate NSL gag orders -- one it's willing to share with any NSL recipient --- so we should be seeing more of these released in the near future.

Based on privacy and safety considerations, the FBI further requests that your client continue to maintain the confidentiality of the name and telephone number of the Special Agents contained within the NSL, located in paragraphs 10 and 14.

Thus, Automattic's third category of redactions were made at the FBI's request.

Re: Re: Redactions

Thus, Automattic's third category of redactions were made at the FBI's request.

How does that excuse sheltering abusive requests from disclosure? I never want my name attached to anything embarrassing I do, but I don't get to use the force of law to ensure that. If this was truly an FBI "request", then Automattic had no obligation to comply, and based on past FBI conduct, I can't see why they would want to. I rather doubt they're going to end up on the FBI's nice list just because they withheld that.

Re: Re: Re: Redactions

Automattic's third category of redactions were made at the FBI's request.

How does that excuse sheltering abusive requests from disclosure?

If you believe that Acting Deputy General Counsel Karen D. Miller's request for the third category of redactions was improper or abusive, then I'd certainly encourage you to loudly complain to your United States congressional delegation. Your senators and representative should help you.

Re: Re: Re: Re: Redactions

While I suspect that your claim that Congress would take a serious interest in this is a tell that you're just trolling, you missed a key distinction. Miller's request was disclosed. I think it was improper for Miller to request redactions with no basis in law, since it seems the FBI grossly overstepped its bounds in the demand letters. However, I also expect that Miller shelters every letter as a matter of course, without reviewing the letters at issue.

It was the original NSL that was abusive and should not have been sheltered, but instead disclosed in full (without redaction) and promptly upon completion of the investigation for which it was issued. Once the investigation is complete, the FBI has no basis for keeping their conduct secret, yet it took an affirmative request from the provider to get the nondisclosure provision lifted at all, and likely not in a very timely manner. I think it very unlikely that the FBI notified Automattic promptly that the investigation was concluded (thereby opening the possibility that Automattic might prevail in a request to be ungagged). Rather, Automattic likely made their own judgment about when to request permission to speak. I appreciate that they spent the resources to do it all. I find it unconscionable that they had to put so much effort into it.

Re: Re: Re: Re: Re: Redactions

While I suspect that your claim that Congress would take a serious interest in this is a tell that you're just trolling…

Which one of us is “just trolling” here?

When you call up your congressman, the phone often gets answered by a relatively low-level staff person. Don't angrily swear at the congressman's staff: They'll just hang up the phone. Or maybe the call got disconnected for some other reason—you can try calling back again.

Re: Redactions

Who were the targets of these NSLs? I mean, this is crucial information to know whether they are being used to fight crime (including terrorism because it's just more crime) or journalists and people who simply annoy corporations and the govt. I believe this is even more important than knowing what they asked for (which conveniently from what I got from the article is everything anyway).

Telephone billing records

Subscriber name and related subscriber information
Account number(s)

Date the account opened or closed
Physical and or postal addresses associated with the account
Subscriber day/evening telephone numbers
All billing and method of payment related to the account including alternative billed numbers or calling cards
Plain old telephone(s) (POTS), ISDN circuit(s), Voice over internet protocol (VOIP)

All of this would seem appropriate under "telephone billing records".

Screen names or other on-line names associated with the account
All e-mail addresses associated with the account to include any and all of the above information for any secondary or additional e-mail addresses and/or user names identified by you as belonging to the targeted account in this letter
Internet Protocol (IP) addresses assigned to this account and related e-mail accounts
Uniform Resource Locator (URL) assigned to the account
*Cable modem service, Internet cable service, Digital Subscriber Line (DSL) asymmetrical/symmetrical relating to this account

None of this seems to fall under that heading, however.

*The names of any and all upstream and providers facilitating this account's communications